[Openswan dev] KLIPS and 802.1q

Tino Keitel tino.keitel at innominate.com
Wed May 30 12:56:27 EDT 2007


On Wed, May 30, 2007 at 10:46:25 +0200, Tino Keitel wrote:
> On Tue, May 29, 2007 at 22:19:09 -0400, Paul Wouters wrote:
> > On Tue, 29 May 2007, Mikhail Pustovit wrote:
> > 
> > > I have the same problem on 2.6.18 kernel and Openswan 2.4.7.
> > > When using KLIPS, and ipsec0 is pointed to VLAN interface
> > > (interfaces="ipsec0=vlan0010"), tunnel establishes connection,
> > > but can't transmit any data. TX errors counter on ipsec0 increases
> > > with each packet transmitted.
> > 
> > It should work fine. Can you enable klipsdebug briefly to see what is
> > happening:
> > 
> > ipsec klipsdebug --all
> > [send a few packets]
> > ipsec klipsdebug --none
> > 
> > Be careful, this will generate a LOT of logs per packet.
> > 
> > It should give some information as to why the packets are being dropped.
> 
> Hi,
> 
> I already gave some information where the packets disappear, see my
> first mail in this thread (Message-ID:
> <20070521143004.GC8788 at tkeitel002.bln.innominate.local>). The kernel
> tries to use eth0 for routing, instead of the VLAN interface, and fails.

I looked into it again. Openswan supplies a struct flowi to
ip_route_output_key():

	struct flowi fl;
	fl.oif = ixs->physdev->iflink;
	if ((ixs->error = ip_route_output_key(&ixs->route, &fl))) {

The kernel then uses fl->oif to get the physical device:

dev_out = dev_get_by_index(oldflp->oif);

However, eth0 and eth0.0004 (my VLAN interface) share the same iflink
number:

$ cat /sys/class/net/eth0/iflink /sys/class/net/eth0.0004/iflink
2
2

So the kernel uses the first interface that has this iflink number,
which is eth0. Then the kernel tries to route the packet over eth0, and
fails.

Could it be that the line

fl.oif = ixs->physdev->iflink;

should actually be

fl.oif = ixs->physdev->ifindex;

because the ifindex number is different for both interfaces? The
dev_get_by_index() usage also looks like ifindex is more appropriate
than iflink.

Regards,
Tino
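
The following is an added example, not part of the original message or of Openswan: a shell model of the lookup discussed above, in which dev_get_by_index() selects a device by its ifindex, so an oif taken from iflink lands on the parent of a stacked interface. The sysfs-style tree is constructed; the shared iflink value 2 is from the post, while the ifindex value 5 for eth0.0004 and all function names are assumptions.

```sh
#!/bin/sh
# Model of dev_get_by_index(): print the name of the device under $1
# (a /sys/class/net-style directory) whose ifindex equals $2.
dev_by_index() {
    root=$1 want=$2
    for d in "$root"/*; do
        [ -r "$d/ifindex" ] || continue
        if [ "$(cat "$d/ifindex")" = "$want" ]; then
            basename "$d"
            return 0
        fi
    done
    return 1
}

# Device a route lookup binds to when fl.oif is filled from field $3
# (iflink or ifindex) of device $2.
oif_device() {
    root=$1 dev=$2 field=$3
    dev_by_index "$root" "$(cat "$root/$dev/$field")"
}

# List stacked devices (iflink != ifindex); only for these do the two
# choices of oif resolve to different devices.
stacked_devices() {
    root=$1
    for d in "$root"/*; do
        [ -r "$d/ifindex" ] && [ -r "$d/iflink" ] || continue
        idx=$(cat "$d/ifindex"); lnk=$(cat "$d/iflink")
        [ "$idx" != "$lnk" ] && echo "$(basename "$d") ifindex=$idx iflink=$lnk -> $(dev_by_index "$root" "$lnk")"
    done
    return 0
}

# Constructed sample tree: iflink 2 for both devices as in the post,
# ifindex 5 for the VLAN device is an assumed value.
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/eth0" "$t/eth0.0004"
    echo 2 > "$t/eth0/ifindex";      echo 2 > "$t/eth0/iflink"
    echo 5 > "$t/eth0.0004/ifindex"; echo 2 > "$t/eth0.0004/iflink"
    echo "$t"
}

SAMPLE=$(make_sample)
oif_device "$SAMPLE" eth0.0004 iflink    # eth0
oif_device "$SAMPLE" eth0.0004 ifindex   # eth0.0004
stacked_devices "$SAMPLE"
rm -rf "$SAMPLE"
```

On a live system, `stacked_devices /sys/class/net` lists every interface for which the two fields differ.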

